Performance Audit No. 13-02 A Performance Audit of - Utah.gov

Office of the Utah State Auditor P a g e | 1

Performance Audit No. 13-02

A Performance Audit of State Agency Internal Audit Services

OFFICE OF THE

UTAH STATE AUDITOR David Pulsipher, CIA, CFE Rachel Dyer, MPA Nick Purse, JD, MPA


Page Left Blank Intentionally


OFFICE OF THE

UTAH STATE AUDITOR

26 August 2013

The Office of the Utah State Auditor has conducted A Performance Audit of State Agency Internal Audit Services and presents its findings herewith. Internal auditors, when used correctly, can provide great value to state agencies and taxpayers by evaluating prioritized risk areas within the agency, ensuring proper use and accounting of state resources, assessing the efficiency of agency operations, and determining the effectiveness of agency programs. Agency heads can use the independent evaluation provided by the internal auditors to minimize agency risk and improve the overall operations of the agency. An effective internal audit program, when used correctly, is one of the most impactful management tools available to control risks and improve overall agency performance. On the contrary, agencies with low-functioning or non-existent internal audit programs may overlook agency risk areas, thus allowing fraud, waste, abuse, and mismanagement to perpetuate. Rather than addressing risk areas internally, concerns can escalate into larger problems that may require more drastic measures to correct. This audit report addresses several ways that the state agency internal audit programs could improve to better utilize this valuable control. Field work for this audit, which commenced in March 2013 and concluded in June 2013, included the following:

An analysis of the Utah Internal Audit Act and applicable professional auditing standards.

A review of the existing internal audit programs (if any) within state agencies.

Analysis of individual state agency internal audit policies in addition to the practices and procedures of other states with similar auditing programs.

Discussions with agency heads, internal auditors, and other agency employees about internal auditing within their agencies.

Finding 1 notes that, in addition to violating statute, some state agencies create additional risk by not having internal audit programs. Finding 2 demonstrates the benefits of having internal auditors to review smaller state agencies and other risk areas. Finding 3 addresses concerns that some state agency internal audit offices are not sufficiently independent from agency management. Finding 4 cites the importance that formalized policy can have on maintaining an effective internal audit program. Finding 5 cites the impact of functioning audit committees. This audit was performed in accordance with applicable Government Auditing Standards, issued by the Comptroller General of the United States. We recognize and appreciate the cooperation of the Governor’s Office of Management and Budget, agency executive directors, and state agency internal audit staff throughout the course of this audit. Sincerely,

David S. Pulsipher, CIA, CFE Performance Audit Director




Executive Summary

State agency internal audit functions, when used correctly, can serve as an effective management control to promote good governance. This audit makes recommendations to improve and strengthen state agency internal audit programs.1

Finding 1: Contrary to Statute, Some State Agencies Do Not Have an Internal Audit Program

Internal auditing serves as a management control to review areas of agency management concern and proactively prevent fraud, waste, abuse, and mismanagement. Therefore, the Utah Internal Audit Act (“act”) requires that certain higher risk state agencies conduct various audit procedures and appoint or employ an internal audit director. However, some state agencies do not currently have internal audit programs, creating a lack of independent internal review of agencies that receive and expend state funds and resources. Therefore, we recommend that all state agencies listed in the act comply with the requirement to establish an internal audit program.

Finding 2: Centralized Audit Coordination Could Improve Agency Oversight

Eleven state agencies, including five mentioned in Finding 1, do not have internal audit staff, limiting agency oversight of $433 million in appropriations. Recent audits highlight concerns that can arise in agencies without effective internal auditor programs. Additionally, the Governor’s Office would benefit from having access to internal auditors to assist with internal audits of any state agency, as requested by the governor, lieutenant governor, or their staff. Therefore, we recommend that the Legislature create a shared internal audit office with sufficient auditors to conduct regular risk-based internal audits of agencies that do not have internal audit programs as well as additional internal audits of all state agencies, as needed. State agency internal audit programs would increase their overall effectiveness by sharing resources and improving inter-agency collaboration. Some states centralize the state agency internal audit programs in order to gain these economies of scale. We recommend that the Governor’s Office facilitate resource sharing—including staff, audit tools, and training opportunities—among state agency internal audit offices.2

1 For purposes of this audit, the phrase “internal audit program” refers to the mechanism, including contract

auditing, used by an agency to fulfill statutory obligations of the Internal Audit Act. 2 For purposes of this audit, the phrase “internal audit office” refers to a division, bureau, or office within an

agency whose sole purpose is to perform an agency’s internal audit program.


Finding 3: Performing Operational Responsibilities Jeopardizes Auditor Independence

Some state agency internal auditors assume non-audit, operational responsibilities, impairing their independence to objectively audit certain agency operations in the future. The act requires that audits be conducted independently and according to professional auditing standards. Foremost among these requirements is auditor independence from management responsibilities. Therefore, we recommend agency heads ensure that audit staff do not participate in management responsibilities outside of the internal audit office.

Finding 4: Formalized Agency Policy Could Increase Internal Audit Effectiveness

Inadequate policies contributed to internal auditor participation in management and operational responsibilities for the three state agencies cited in Finding 3. Formalized internal audit policies should clearly define the role of a state agency’s internal audit program and help to prevent conflicts that may impair an auditor’s effectiveness. However, most state agencies do not have formalized internal auditing policies that fully comply with statute. We recommend that any state agency with an internal audit program that does not have an internal audit policy create and implement such policy. In addition, we recommend that agencies with deficient policies modify their policies to ensure full compliance with the act.

Finding 5: Effective Audit Committees Increase Management Accountability

The act requires the agency internal audit director to report to the agency head and to an audit committee, if one has been established. A functional reporting relationship to an audit committee—which is recommended by auditing standards—strengthens an audit program’s ability to audit independently by limiting management control over audit scope and findings. State agencies are the only entities cited in the act that do not use independent audit committees. We recommend that the governor consider requiring state agency internal audit directors to functionally report to an audit committee, as encouraged by audit standards. We also recommend that the Legislature clarify the act to allow an audit committee to serve multiple state agencies.


Table of Contents

Introduction .................................................................................................................................. 3 Executive Summary ....................................................................................................................... 5 Background: ................................................................................................................................. 9 Finding 1: Contrary to Statute, Some State Agencies Do Not Have an Internal Audit Program ......... 11 Four State Agencies Do Not Have Internal Audit Programs, Despite Statutory Requirement ...................................................................... 11

Internal Auditors Contribute to Agency Risk Management ........................................................ 13 Recommendation ........................................................................................................................ 14 Finding 2: Centralized Audit Coordination Could Improve Agency Oversight ................................... 15 Smaller State Agencies Receive Minimal Internal Audit Review ................................................. 15 The Governor’s Staff Has Relied on Independent Auditors to Conduct Audits .......................... 17 Inadequate or Absent Internal Audit Programs Have Contributed to Ongoing Agency Concerns .................................................................................. 17 Some States Centralize State Agency Audit Programs ................................................................ 18 Resource Sharing Would Increase State Agency Audit Capabilities ........................................... 20 Recommendations ....................................................................................................................... 21 Finding 3: Performing Operational Responsibilities Jeopardizes Auditor Independence .................. 23 Statute Requires that Audits Be Conducted Independently And According to Professional Auditing Standards ..................................................................... 23 Assuming Non-Audit, Operational Responsibilities Limits Audit Capabilities for Four Agencies ................................................................................. 24 Audit Standards Require Independence From Management and Operational Responsibilities .......................................................................... 26 Recommendations ....................................................................................................................... 27


Finding 4: Formalized Agency Policy Could Increase Internal Audit Effectiveness ............................. 29 Insufficient Policy Contributed to Auditor Limitations ................................................................ 29 Audit Policy Should Clearly Define Audit Program Role .............................................................. 31 Recommendations ....................................................................................................................... 31 Finding 5: Effective Audit Committees Increase Management Accountability .................................. 33

Functional Reporting to an Audit Committee Increases Auditor Effectiveness and Objectivity ......................................................................... 33

An Audit Committee Should Include Members Who Do Not Have Administrative Responsibilities Within the Agency ........................................................... 35 State Agencies Do Not Properly Use Audit Committees ............................................................. 35 Recommendations ....................................................................................................................... 38 Appendix A: Utah Internal Audit Act .............................................................................................. 39 Appendix B: Michigan Executive Order No. 2007-31 ....................................................................... 49 Agency Response ........................................................................................................................... 57


Background

The Utah State Legislature enacted the Utah Internal Audit Act (“act”), currently Utah Code 63I-5, during the 1995 General Session as the governing statute for the state agencies’ internal audit programs (see Appendix A). The act requires that certain state agencies “conduct various types of auditing procedures as determined by the agency head or governor.” In addition, the governor “may, by executive order, require other state agencies to establish an internal audit program.” An agency head may also establish an internal audit program “if the agency administers programs that: (1) might pose a high liability risk to the state; or (2) are essential to the health, safety, and welfare of the citizens of Utah.” According to the House of Representatives sponsor of the bill creating the act, each state agency listed in the act had an audit office at the time of passage and the act was intended to ensure the preservation of those audit offices, particularly in the event of budget cuts or changes in agency administration. The purpose of the act, according to the legislators who sponsored it, was to set up a means whereby state agencies could review risk areas internally and address concerns proactively. An effective internal audit program provides an independent evaluation of risk areas to the agency head or audit committee, if one has been established. The agency head or audit committee uses internal audits to oversee the implementation of recommendations that should address the causes of the discrepancies between what is required and what is actually occurring in the audited area. In contrast to external audits, internal audits are generally intended to mitigate agency risks internally, allowing management to proactively correct concerns. An effective internal audit program provides many potential benefits, including:

Agency cost savings through greater efficiency

Decreased agency liability

Improved agency oversight, accountability, and governance

Increased public safety

Improved risk management

This audit identifies some of the higher risk areas of state agency non-compliance with the act and auditing standards and makes recommendations to increase the overall effectiveness of state agency internal audit programs.

The scope of this audit was limited to evaluating the internal audit programs within state agencies. Those state agencies cited specifically in the act and subject to this audit include the following: the departments of Administrative Services, Agriculture, Commerce, Heritage and Arts, Corrections, Workforce Services, Environmental Quality, Health, Human Services, Natural Resources, Public Safety, and Transportation, and the state Tax Commission. The audit also addresses the potential impact of internal auditors on smaller state agencies not specifically mentioned in the act.




Finding 1 Contrary to Statute, Some State Agencies Do Not Have an Internal Audit Program

Internal auditing serves as a management control to review areas of agency management concern and proactively prevent fraud, waste, abuse, and mismanagement. Therefore, the Utah Internal Audit Act (“act”) requires that certain higher risk state agencies conduct various audit procedures and appoint or employ an internal audit director. However, some state agencies do not currently have internal audit programs, creating a lack of independent internal review of agencies that receive and expend state funds and resources. Therefore, we recommend that all state agencies listed in the act comply with the requirement to establish an internal audit program.

Four State Agencies Do Not Have Internal Audit Programs, Despite the Statutory Requirement The act, passed during the 1995 Legislative General Session, requires that certain state agencies “conduct various types of auditing procedures as determined by the agency head or governor.” However, four of the 13 state agencies cited in statute do not have agency internal audit programs. The state agencies required by statute to have internal audit programs include the following:

Administrative Services

Agriculture

Commerce

Corrections

Environmental Quality

Health

Heritage and Arts

Human Services

Natural Resources

Public Safety

Transportation

Workforce Services

Tax Commission

Additionally, the act allows the governor or an agency head to establish an internal audit program for state agencies that,

(i) might pose a high liability risk to the state; or (ii) are essential to the health, safety, and welfare of the citizens of Utah. The Department of Technology Services and Department of Alcohol and Beverage Control (DABC), though not specifically mentioned in the act, recently each established internal audit offices based on recommendations from an external auditor and the Office of the Legislative Auditor General, respectively. Senate Bill 66 from the 2012 Legislative General Session


modified the act to require DABC to “conduct various types of auditing procedures as determined by the Alcoholic Beverage Control Commission.” The purpose of a state agency internal audit program, according to the sponsors of the bill creating the act, was to require internal agency controls to prevent and detect areas of management concern that could be resolved internally. The act requires that the agency head “appoint or employ an agency internal audit director with the consent of the audit committee, if an audit committee has been established.” It appears that the current lack of complete compliance with the act can be attributed to a failure to recognize the benefits and purpose of internal auditors, a lack of agency awareness of requirements in the act, or lack of budget prioritization. Figure 1.1 lists the state agencies that are specifically cited in the act as those that are required to have an internal audit program. Figure 1.1 State Agencies Required To Have an Internal Audit Program

Agency Internal Auditors FY 2013 Agency Budget

(in millions) Agency FTE

Administrative Services* 0.2 $53.5 445 Agriculture 0 29.4 502

Commerce 0 46.2† 249 Corrections 4 264.6 2,108 Environmental Quality 0 49.9 419 Health** 5 2,395.6 1,251 Heritage and Arts 1 141.4 134 Human Services 6 661.9 4,325 Natural Resources 3 178.7 1,305 Public Safety 0 212.8 1,531 Tax Commission 2 89.8 787 Transportation 7 1,101.8 1,632 Workforce Services 7 731.5 1,879 *Administrative Services contracts with a part-time auditor **The Office of the Medicaid Inspector General has 27 staff that review $2,179 million dollars of this budget †This amount includes collections from licensees, some of which is transferred to the state General Fund.

The Department of Commerce used an existing employee to perform an internal audit function in 2012, in addition to his full-time job duties for the Division of Consumer Protection. Though the department employee conducted a fixed asset review for the department, he does not appear to fulfill the functions of an internal auditor. Due to potential internal conflicts of interest caused by this person’s organizational placement in the agency, independence concerns, inadequate reporting structure and audit authority, insufficient agency auditing policies, and other general areas of noncompliance with the act and with standards, it does not appear that this position should be considered an internal auditor.


In addition to performing “various types of auditing procedures,” the act requires that an agency head ensure that the internal audit program possesses the following characteristics (see Utah Code 63I-5-302(3) in Appendix A):

Sufficient audit staff employed by the audit director

Compensation and advancement based on job performance

Collective possession of necessary auditing skills

Qualified staff to “meet audit responsibilities”

Freedom from “operational and management responsibilities”

Access to agency personnel, records, data, and other information necessary for audits

Direct reporting from the audit director to the agency head or audit committee, if established

We recommend that agencies that do not currently have an internal audit program, and are required to do so, establish an internal audit program that includes the statutorily-required characteristics. Finding 2 lists recommendations for a cost-effective internal audit program for agencies such as those cited in Figure 1.1. These recommendations include a potentially shared audit group to provide internal audit services based on statewide risk.

Internal Auditors Contribute to Agency Risk Management Effective internal auditors provide an internal review that independently assesses higher risk areas within an agency. The Institute of Internal Auditors (IIA) describes some of the benefits that an effective internal audit program could have on an organization in its definition of internal auditing:

Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes. (emphasis added)

State agency internal audit programs, when used effectively, have realized this value described by the IIA, including the following recent examples:


The Department of Corrections will reduce medical costs by approximately $2.5 million per year by utilizing alternative funding sources identified by its internal auditors.

The Department of Transportation auditors detected a $50,000 overbilling from a vendor.

Department of Natural Resources auditors identified almost $40,000 in underreported receipts from a vendor.

The Department of Health auditors mitigated public safety concerns and recovered wasted funds by detecting multiple instances of missing vaccines.

When used correctly, internal audit programs can be an effective management tool to identify and reduce risk while improving the overall efficiency of state agency operations. It appears, however, that some internal auditors are not used to their full potential in some state agencies. Recommendations to further improve existing and future state agency internal audit programs can be found throughout this report.

Recommendation

1. We recommend that the departments of Agriculture, Commerce, Environmental Quality, and Public Safety establish internal audit programs. This may include a shared audit office, as recommended in Finding 2.


Finding 2 Centralized Audit Coordination Could Improve Agency Oversight

Eleven state agencies, including five mentioned in Finding 1, do not have internal audit staff, limiting agency oversight of $433 million in appropriations. Recent audits highlight concerns that can arise in agencies without effective internal auditor programs. Additionally, the Governor’s Office would benefit from having access to internal auditors to assist with internal audits of any state agency, as requested by the governor, lieutenant governor, or their staff. Therefore, we recommend that the Legislature create a shared internal audit office with sufficient auditors to conduct regular risk-based internal audits of agencies that do not have internal audit programs as well as additional internal audits of all state agencies, as needed. State agency internal audit programs would increase their overall effectiveness by sharing resources and improving inter-agency collaboration. Some states centralize the state agency internal audit programs in order to gain these economies of scale. We recommend that the Governor’s Office facilitate resource sharing—including staff, audit tools, and training opportunities—among state agency internal audit offices.

Smaller State Agencies Receive Minimal Internal Audit Review As mentioned in Finding 1, four state agencies do not currently have internal audit programs, even though it is required of them by the Utah Internal Audit Act (“act”). An additional six state agencies could benefit from an internal audit program, although it is not necessarily required by statute. Finally, one state agency—the Department of Administrative Services—contracts its internal audit function and does not have internal audit staff. We are concerned that, without internal audit staff, these state agencies do not receive the benefits that come with regular internal reviews nor do the agency heads have the resources independent of the management chain of command to investigate areas of concern. Rather than creating internal audit positions in each of these agencies, the state may benefit by having a shared internal audit group that conducts regular audits of smaller state agencies that do not have internal auditors. Such an internal audit office could promote greater state agency accountability while also accomplishing the requirements of the act. Figure 2.1 details the state agencies that do not currently have internal auditors, including the Department of Administrative Services, which outsources its internal audit program.


Figure 2.1 State Agencies Without Internal Auditors

Agency FY 2013 Agency Budget (in millions)

Agency FTE

Administrative Services*† $53.4 445 Agriculture* 29.4 502 Board of Pardons and Parole 4.1 36 Commerce* 46.2** 249 Environmental Quality* 49.8 419 Financial Institutions 6.0 54 Human Resource Management 3.6 140 Insurance 10.1 87 Labor Commission 12.6 137 Public Safety* 212.8 1,531 Veteran’s Affairs 5.3 21 Total Required by Statute $391.6 3,146 Total of All Agencies Without Internal Auditors

$433.3 3,621

*Required by statute to have internal audit function **This amount includes collections from licensees, some of which is transferred to the state General Fund. † Administrative Services contracts internal audit services

Agency heads from some of these agencies claim they could potentially receive the following benefits from a shared internal audit group:

Improved ability to address concerns internally

Regular agency risk assessments

Enhanced management oversight

Greater agency efficiency

Better understanding of areas of agency underperformance Assuming auditors were allocated for these state agencies at a similar auditor-to-budget ratio as the state agencies with internal auditors listed in Finding 1, approximately four to five full-time auditors could provide the necessary coverage to the agencies listed in Figure 2.1. In addition to fulfilling statutory requirements by establishing an internal audit program for four state agencies, this internal audit group would serve a valuable function of evaluating the efficiency of state agency operations and the effectiveness of its programs.


The Governor’s Staff Has Relied on Independent Auditors to Conduct Audits Over the past three years, the Governor’s Office has asked for independent audits of state agencies on at least six occasions. Five audit requests appear to have required an independent review from outside the agencies being audited, while the other engagement was done on an agency that did not have its own internal auditors. These six audits provided the Governor’s Office with independent reviews addressing such concerns as alleged mismanagement, malfeasance, and fraud. The Governor’s Office relied on the expertise of auditors from other state agencies, the Office of the Utah State Auditor, and contract auditors to conduct some of this work. Some of these audits, in addition to other projects, could potentially have been completed internally by auditors in a shared audit group. An effective internal audit resource may also mitigate unnecessary risk within certain state agencies. Therefore, we recommend the Legislature create a shared internal audit office to conduct regular risk-based internal audits on state agencies that do not have internal audit functions as well as auditors to conduct additional internal audits at the request of the Governor’s Office.

Inadequate or Absent Internal Audit Programs Have Contributed to Ongoing Agency Concerns Recent legislative audits of the Department of Corrections, the Department of Health, and the Department of Alcohol and Beverage Control have cited ongoing concerns that were, in part, perpetuated by the lack of effective internal audit programs. Management influences over internal audit results, inadequate internal audit reporting structure, and absent or ineffective internal audit programs were among the concerns with the internal audit programs cited in the audit reports. An internal audit program cannot realize its potential without the independence created by an appropriate reporting structure and freedom from undue or improper management influence. We believe that similar concerns regarding absent internal audit programs exist in the agencies cited in Figure 2.1. In addition to requiring internal audit programs for specific state agencies, the act also states that,

An agency head may establish an internal audit program for the agency head’s agency if the agency administers programs that:

i) might pose a high liability risk to the state; or ii) are essential to the health, safety, and welfare of the citizens of

Utah


At least one of these two criteria applies to each of the 10 state agencies that do not currently have an internal audit program. With the exception of the Department of Public Safety, however, each of the agencies listed in Figure 2.1 have budget and staffing levels that may not necessarily justify one or more full-time auditors in each agency. A shared internal audit group would help to provide internal audit functions to smaller state agencies. We also recommend that the Legislature determine if the audit program for the Department of Public Safety, due to its size, be included in a centralized group or if the department should have its own internal audit program.

Some States Centralize State Agency Internal Audit Programs Several states believe that a centralized state agency internal audit program increases the auditors’ ability to independently report audit findings while gaining economies of scale. Internal auditors in these states serve at the pleasure of the governors’ offices and conduct their audits based on state agency-wide risk. Michigan Consolidated State Agency Audit Programs in 2007. Due to concerns regarding the effectiveness and independence of the state agency internal audit programs, and in an effort to minimize duplication of effort, the Michigan governor, by executive order, consolidated state agency internal audit programs into the state’s Office of Internal Audit Services (OIAS) (see Appendix B). The governor appointed a chief audit executive who oversees the state agency internal audit program and who reports to the state budget director. The executive order states that the consolidated function serves as an effort to,

[P]romote a more unified approach to internal audit functions within the executive branch of state government and improve the effectiveness of financial controls… increase administrative efficiencies… [and] ensure efficient administration and effectiveness of government.

The chief audit executive in Michigan’s OIAS reports the following advantages of a centralized state agency audit program:

Standardized audit process

Improved internal audit staff competency

Greater compliance with standards

Increased audit value

Ability to hire specialized auditors (e.g., information systems auditors, fraud examiners, etc.)

Decreased costs due to resource sharing and other internal collaboration

Additionally, initial concerns regarding the potential public nature of an audit program intended to report and correct audit findings internally and without attention have been partially resolved by establishing procedures in which the Michigan OIAS does not communicate audit


results outside of the agencies involved in the audit. The Michigan OIAS does not release public reports and refers legislative requests to the individual state agencies. Nevada’s Centralized Internal Auditors Report to an Audit Committee. Nevada’s Division of Internal Audits (DIA) has statutory authority to conduct performance audits of state agencies with the mission to “help agencies identify ways to enhance their operational efficiencies and effectiveness.” This division reports to a statutorily-defined audit committee comprised of the following individuals:

Governor (chair)

Lieutenant Governor

Secretary of State

State Treasurer

State Controller

Attorney General

Representative from the public Audits performed by Nevada’s DIA are published on their website and available to the public. Due to the structure and composition of the audit committee, independence—in practice and perception—is more easily maintained. This enables auditors the freedom to report the findings without fear of retribution by agency management or employees. However, the ability to solve problems internally is compromised by publishing public reports. Arizona has a Partially Centralized Internal Audit Program, but Findings Are Kept Internal. Similar to Michigan’s OIAS, Arizona’s centralized state agency auditors do not release public reports. Though some larger state agencies employ internal auditors, the General Accounting Office has the authority to audit any state agency or program. They are considered to be internal auditors and consultants to the state agencies, and do not publish reports on their website. While a centralized state agency internal audit program appears to benefit Michigan and Nevada, state agency internal audit programs in Utah might realize similar benefits by increasing agency internal audit program collaboration through a central contact. Similar to Arizona, the larger state agencies could continue to provide internal audit services, while a centralized internal audit office serves the needs of smaller state agencies as well as other risk areas. The shared internal audit office could also serve as a central contact for all state agency internal audit offices to best utilize state resources and improve the state agency internal audit programs.


Resource Sharing Could Increase State Agency Audit Capabilities State agency internal audit programs in various agencies would benefit from increased collaboration with other agency internal audit programs. Collective auditing and data mining software, shared use of specialized auditors, and increased coordination between audit offices would increase the overall success of state agency internal audit programs. Oversight from a central point of contact, such as the Governor’s Office, would help to facilitate resource sharing, share internal auditing procedures, and increase the level at which internal auditors impact the efficiency of state government. Staff Sharing Agreements Could Improve Audit Effectiveness. Some state agencies that have internal auditors are limited in the types of audits they can conduct due to staffing limitations and expertise. Most state agency internal audit offices do not have enough staff to justify hiring one or more full-time auditors with specialties in such areas as information systems auditing or fraud examination. Agency internal audit directors claim that having access to such specialty auditors would increase their ability to respond to specific agency needs that may require the services of such a specialized auditor. Access to a shared internal audit group, or an agency resource-sharing arrangement, could allow specific audits of any state agency to be staffed with qualified auditors and could increase the overall capability of the state agency internal audit programs. For example, a certain state agency may not be able to conduct a complex internal audit involving potential fraud if it did not have an auditor qualified to conduct such an engagement. Under the current arrangement, this agency would (1) conduct the audit without adequately-qualified staff, (2) outsource the audit, or (3) forego the audit. However, access to Certified Fraud Examiners employed in other state agencies or in the shared audit group would allow this agency to perform the engagement. Shared Tools Would Reduce Costs and Increase Auditor Effectiveness. State agency internal audit directors may not justify expensive data mining and other audit software that they would only use on select audits. However, state agency-wide resource sharing could spread the cost across multiple agencies and increase access to auditing tools. Increased access to available technology could improve the overall internal audit process while returning greater value to the individual internal audit programs. Collaborative Training May Increase Auditor Abilities. Audit standards require each auditor to obtain 80 hours of continuing professional education (CPE) every two years. Though some statewide training is available, it does not provide enough CPE to fulfill the requirement, nor is it always directly applicable to job functions. Most internal audit offices do not have the resources to provide quality training, nor do they have adequate association with their peers in other state agency internal audit offices.


Collaboration between agency internal audit offices would allow auditors to receive better ongoing training while learning best practices from their peers in other agencies.

Recommendations

1. We recommend that the Legislature create a shared internal audit office to conduct regular risk-based internal audits on agencies that do not have internal audit programs and to conduct additional internal audits at the request of the Governor’s Office.

2. We recommend that the Legislature review and reassess which agencies should implement individual internal audit programs and which should utilize a shared office.

3. We recommend that the Governor’s Office facilitate resource sharing—including staff, audit tools, and training opportunities—among state agency internal audit offices.




Finding 3 Performing Operational Responsibilities Jeopardizes Auditor Independence

Some state agency internal auditors assume non-audit, operational responsibilities, impairing their independence to objectively audit certain agency operations in the future. The Utah Internal Audit Act (“act”) requires that audits be conducted independently and according to professional auditing standards. Foremost among these requirements is auditor independence from management responsibilities. Therefore, we recommend agency heads ensure that audit staff do not participate in management responsibilities outside of the internal audit office.

Statute Requires that Audits Be Conducted Independently And According to Professional Auditing Standards The act requires that agency heads ensure that the

[I]nternal audit staff are free of operational and management responsibilities that would impair their ability to make independent audits of any aspects of the agency's operations.

In addition, statute requires that,

[A]gency internal audit directors ensure that audits are conducted in accordance with professional auditing standards such as those published by the Institute of Internal Auditors, Inc., the American Institute of Certified Public Accountants and, when required by other law, regulation, agreement, contract, or policy, in accordance with Government Auditing Standards, issued by the Comptroller General of the United States.

Statute specifically refers to standards from three separate organizations:

The Institute of Internal Auditors (IIA), which publishes the International Standards for the Professional Practice of Internal Auditing;

The American Institute of Certified Public Accountants (AICPA), which publishes the AICPA Professional Standards, which includes the Code of Professional Conduct and Bylaws; and

The U.S. Government Accountability Office (GAO), which publishes the Government Auditing Standards (The Yellow Book).

While the Government Auditing Standards are binding only “when required by other law, regulation, agreement, contract, or policy,” internal audits must be conducted in accordance


with professional auditing standards published by the IIA and AICPA. However, the Yellow Book serves as an excellent example of best auditing practices in government.

Assuming Non-Audit, Operational Responsibilities Limits Audit Capabilities for Four Agencies Agency management at the departments of Natural Resources (DNR), Human Services (DHS), and Corrections (UDC) have assigned non-audit, management or operational responsibilities to their internal auditors, which may threaten their audit office’s independence. Similar concerns exist in several other state agencies. While such arrangements appear convenient for the agencies, they also impair the internal audit programs’ ability to independently audit certain programs and limit the scope of future audits. Reporting functionally to an audit committee, as recommended in Finding 5, would reduce the tendency of an internal audit program to participate in operational and management responsibilities and create greater internal audit program independence. DNR’s Internal Audit Director Also Serves as the Agency Finance Director. Some of the responsibilities of the DNR finance director position include: (1) gathering the budgets from each division and preparing a budget compilation for the Governor’s Office and Legislature; (2) providing monthly training to the division finance managers; and (3) supervising an employee that is engaged in non-audit responsibilities. DNR management and the audit/finance director believe that the decentralized nature of the department allows the internal audit program to remain independent from the responsibilities of the finance function. While this may be the case with current management and personnel, this organizational structure is contrary to auditing standards and presents, at minimum, a perceived conflict of interest. Government Auditing Standards, issued by the Comptroller General of the United States, warn against “management participation threat,” or “the threat that results from an auditor’s taking on the role of management or otherwise performing management functions on behalf of the entity undergoing an audit.” Government Auditing Standard 3.36 lists “examples of activities that are considered management responsibilities and would therefore impair independence if performed for an audited entity:


a. setting policies and strategic direction for the audited entity; b. directing and accepting responsibility for the actions of the audited entity’s employees in the performance of their routine, recurring activities; c. having custody of an audited entity’s assets; d. reporting to those charged with governance on behalf of management; e. deciding which of the auditor’s or outside third party’s recommendations to implement; f. accepting responsibility for the management of an audited entity’s project; g. accepting responsibility for designing, implementing, or maintaining internal control; h. providing services that are intended to be used as management’s primary basis for making decisions that are significant to the subject matter of the audit; i. developing an audited entity’s performance measurement system when that system is material or significant to the subject matter of the audit; and

j. serving as a voting member of an audited entity’s management committee or board of directors.

Several duties of the finance director are cited as examples of impairments by Government Auditing Standards. In order to comply with standards and reduce impairments, whether perceived or actual, DNR should separate the duties of internal audit director and the finance director. DHS Internal Audit Staff’s Non-Audit Responsibilities Limit Audit Independence for Certain Audits. DHS internal auditors conduct management duties, such as helping divisions update their forecast models and writing and reviewing department policy. Although the agency internal auditors may be qualified to perform such management duties, doing so would prevent DHS internal auditors from objectively auditing these activities. Additionally, familiarity with these areas may prevent DHS auditors from detecting control weaknesses in areas in which they participated in implementing or creating policy. AICPA §55 Article IV.03 requires internal auditors to be “independent in fact and appearance.” In accordance with this policy, the AICPA also recognizes the “management participation threat,” which involves “[t]aking on the role of client management or otherwise performing management functions on behalf of an attest client.” Such actions may include “[s]erving as an officer or director of the client” or “[e]stablishing and maintaining internal controls for the client….” To better maintain their independence, we recommend that DHS’s audit office discontinue involvement in management duties such as writing policy and updating forecast models.


UDC’s Audit Office Involvement in Inmate Health Care Limits Objective Internal Audits on the Topic. The internal audit director was asked to assist in the implementation of audit recommendations that involved the use of Medicaid for qualified inmates and offenders. Due to the expertise that the agency internal auditors developed during the course of the audit, agency management asked the internal audit director to be the agency liaison with other state agencies, in addition to partially overseeing agency implementation of the program. These responsibilities created a conflict of interest and violated the act’s requirement for auditors to abstain from management and operational responsibilities. The IIA states that, “[a] conflict of interest would prejudice an individual’s ability to perform his/her duties and responsibilities objectively.” Ownership in these operational responsibilities would prevent the UDC audit office from performing an objective, unbiased assessment of certain aspects of inmate health care going forward. While this particular concern appears to be resolved because of personnel changes within the agency, UDC management should avoid similar situations going forward.

Audit Standards Require Independence From Management and Operational Responsibilities Professional auditing standards require auditor independence from management and operational responsibilities in order to report findings objectively and without bias. Figure 3.1 summarizes the independence requirements dictated both in statute and in audit standards.


Figure 3.1 Summary of Independence Requirements in Statute and Standards

Source Standard

Utah Internal Audit Act

63I-5-302(3)(e) "The agency head shall ensure that internal audit staff are free of operational and management responsibilities that would impair their ability to make independent audits of any aspects of the agency's operations."

IIA Standards

1130.A1 “Internal auditors must refrain from assessing specific operations for which they were previously responsible. Objectivity is presumed to be impaired if an internal auditor provides assurance services for an activity for which the internal auditor had responsibility within the previous year.” 1130.A2 “Assurance engagements for functions over which the chief audit executive has responsibility must be overseen by a party outside the internal audit activity.”

AICPA Standards

.02 101-1—Interpretation of Rule 101. “Independence shall be considered to be impaired if . . . [d]uring the period covered by the financial statements or during the period of the professional engagement, a firm, or partner or professional employee of the firm was simultaneously associated with the client as a . . . [d]irector, officer, or employee, or in any capacity equivalent to that of a member of management….” (emphasis in the original)

Government Auditing Standards

3.14 Threats to Independence f. “Management participation threat - the threat that results from an auditor’s taking on the role of management or otherwise performing management functions on behalf of the entity undergoing an audit.”

Sources: Utah Internal Audit Act, International Standards for the Professional Practice of Internal Auditing (Standards), AICPA Professional Standards, and Government Auditing Standards

By accepting management or operational responsibilities, several state agencies jeopardize the independence and effectiveness of their internal audit programs.

Recommendations 1. We recommend that the Department of Natural Resources executive director

separate the duties of internal audit director and finance director.

2. We recommend that the Department of Human Services executive director ensure that the internal audit office discontinues involvement in management duties such as writing agency policy and updating forecast models.




Finding 4 Formalized Agency Policy Could Increase Internal Audit Effectiveness

Inadequate policies contributed to internal auditor participation in management and operational responsibilities for the three state agencies cited in Finding 3. Formalized internal audit policies should clearly define the role of a state agency’s internal audit program and help to prevent conflicts that may impair an auditor’s effectiveness. However, most state agencies do not have formalized internal auditing policies that fully comply with statute. We recommend that any state agency with an internal audit program that does not have an internal audit policy create and implement such policy. In addition, we recommend that agencies with deficient policies modify their policies to ensure full compliance with the Utah Internal Audit Act (“act”).

Insufficient Policy Contributed to Auditor Limitations None of the three state agencies whose management required internal auditors to assume management or operational responsibilities cited in Finding 3 have established formal policy to avoid such activities. The Department of Natural Resources (DNR) does not have policy that limits an auditor’s role in the agency’s management activities, while the internal auditing policies for the departments of Corrections (UDC), Heath (DOH), and Human Services (DHS) are incomplete with regards to an auditor’s role in agency management activities. Such policy is required by statute and essential for a successful internal audit program. It appears that the lack of internal audit policies—in addition a lack of management understanding of the importance of independence from management and operational duties—contributed to the auditors’ acceptance of non-audit related duties. Acceptance of such responsibilities impairs the internal auditors’ ability to independently audit those areas in which they served a management function. Figure 4.1 shows an analysis of state agency compliance with regards to established internal audit policy.


Figure 4.1 Summary of Agency Compliance with the Utah Internal Audit Act Policy and Procedures Requirements

State AgencyFormal

Policy

Purpose

Defined

Authority and

Responsibility of

Auditors Defined

Places No

Limitations on the

Scope

Auditors Have No

Authority or

Responsibility for

the Activities

Audited

Administrative Services

Agriculture

Commerce

Corrections

Environmental Quality

Health

Heritage and Arts

Human Services

Natural Resources

Public Safety

Tax Commission

Transportation

Workforce Services

Complete Incomplete MissingLegend

Only seven of the 13 state agencies that are statutorily required to have an internal audit program have actually established formal policies. Of those agencies that have formal internal audit policies, only three agencies meet all of the requirements of the act. Each of the agencies that have internal audit policies in place defined the purpose of the agency’s internal audit program and the authority and responsibility of the agency’s internal auditors, with the exception of DNR. Internal audit policy for DNR limits the purpose, authority, and responsibility of its internal audit program to investigations of alleged employee misconduct, which appears to limit the scope of the internal audit department’s work. However, it appears that DNR’s audit scope is more expansive than their written policies suggest. In addition, internal audit policies provided by the UDC, DOH, DHS, and the Department of Transportation (UDOT) only indirectly prohibit their internal audit offices from having authority or responsibility for the activities they audit. For example, the UDOT internal audit policy states that the auditors must be “organizationally independent,” but it does not clearly prohibit auditors from exercising authority or responsibility over the activities they audit, as required by statute and auditing standards.


Audit Policy Should Clearly Define Audit Program Role The act requires that each agency head prepare and adopt a formal policy that meets certain statutory requirements. Policy should define: (1) “the purpose of the agency’s internal audit function,” and (2) “the authority and responsibility of the agency’s internal auditors.” The Institute of Internal Auditors’ Standard 1000 echoes these obligations, requiring that, “The purpose, authority, and responsibility of the internal audit activity must be formally defined in an internal audit charter….” Clearly established policy grants formal authority for agency internal auditors to independently assess areas within the department and report any findings objectively and without limitation. Due to the effect that established internal audit policies have on preserving auditor effectiveness and objectivity, we recommend all state agencies with an internal audit program establish formal internal audit policies in compliance with the act.

Recommendations

1. We recommend that the departments of Corrections, Health, Human Services, Natural Resources, and Transportation revise internal audit policy to include all statutory requirements.

2. We recommend that the departments of Administrative Services, Agriculture, Commerce, Environmental Quality, and Public Safety create and implement internal audit policies, as required by statute.




Finding 5 Effective Audit Committees Increase Management Accountability

The Utah Internal Audit Act (“act”) requires the agency internal audit director to report to the agency head and to an audit committee, if one has been established. A functional reporting relationship to an audit committee—which is recommended by auditing standards—strengthens an audit program’s ability to audit independently by limiting management control over audit scope and findings. State agencies are the only entities cited in the act that do not use independent audit committees. We recommend that the governor consider requiring state agency internal audit directors to functionally report to an audit committee, as encouraged by audit standards. We also recommend that the Legislature clarify the act to allow an audit committee to serve multiple state agencies.

Functional Reporting to an Audit Committee Increases Auditor Effectiveness and Objectivity The internal audit director must report to the agency head and to the audit committee, if one has been established. The act states,

“The agency head shall ensure that the agency internal audit director reports to the agency head and to the audit committee, if one has been established….”

The Institute of Internal Auditors (IIA) recommends facilitating organizational independence through dual reporting. This relationship is described in Practice Advisory 1110-1: Organizational Independence:

“The chief audit executive (CAE), reporting functionally to the board3 and administratively to the organization’s chief executive officer, facilitates organizational independence.”

An effective audit committee limits management control over audit findings while providing a greater assurance of auditor independence. A functional reporting relationship to an appropriately-established audit committee would have likely prevented internal auditors from performing management or operational duties mentioned in Finding 3. IIA standards further define the difference between functional and administrative reporting. Figure 5.1 contrasts some of the differences between the two reporting lines, as defined by the IIA.

3 The IIA’s definition of an “audit board” is a similar definition of the act’s definition of an “audit committee.”

Therefore, an “audit board” defined by the IIA is considered the same entity as an “audit committee” referenced in the act.


Figure 5.1 IIA Reporting Definitions

Functional Reporting (Committee/Board) Administrative Reporting (Agency Head)

Approves audit charter Facilitates budget and management accounting

Approves audit plan and risk assessment Facilitates human resource administration Communicates with CAE, including private meetings without management

Facilitates internal communication

Appoints, evaluates, and removes CAE Administers policies and procedures Approves salary decisions for the CAE Determines whether audit scope or budgetary limitations impede audit

Source: Institute of Internal Auditors

According to the IIA, in an ideal reporting relationship, an internal audit director, or CAE, reports functionally to an audit committee and administratively to the chief executive officer, or agency head. Figure 5.2 demonstrates this reporting structure.

Figure 5.2 Dual Audit Reporting

The AICPA states the following advantages for audit committees for government agencies:

Improved financial practice and reporting

Influence appropriate action against fraud

Enhanced internal audit function

Enhanced external audit function In order to increase auditor independence and impact, we recommend that the governor consider creating an audit committee for state agencies. Standards further demonstrate the importance of the qualifications of the audit committee members.

Audit Committee

Functional Reporting

Agency Head or CEO

Administrative Reporting

Chief Audit Executive


An Audit Committee Should Include Members Who Do Not Have Administrative Responsibilities Within the Agency

The act stipulates that “[e]ach appointing authority may establish an audit committee to monitor the activities of the agency internal audit organization.” Statute defines the governor as the appointing authority for state agencies. According to the act, the audit committee is “a standing committee whose members are appointed by an appointing authority.” Statute requires that audit committee members be appointed,

(a) from members of the agency governing board; and (b) from individuals who do not have administrative responsibilities within the agency who have the expertise to provide effective oversight of and advice about internal audit activities and services. (emphasis added)

Additionally, the act defines an agency governing board as “any board or commission that has policy making and oversight responsibility over the agency, including the authority to appoint and remove the agency director.” Of the state agencies subject to this audit, only the state Tax Commission has an agency governing board that fits this definition. All state agency audit committees/boards must be composed solely of “individuals who do not have administrative responsibilities within the agency.” In addition, IIA supplemental guidance dictates that an audit committee/board strive to, “[i]nclude independent members who collectively possess sufficient knowledge of audit, finance, risk, and control.”

State Agencies Do Not Properly Use Audit Committees Though encouraged by auditing standards, and allowed by the act, none of the four governors in office since the act’s passage have appointed an audit committee. All other appointing authorities, however, have established audit committees, to which the internal auditors functionally report. Figure 5.3 outlines the use of audit committees by appointing authorities of the four state entities cited by the act and the legislative auditors.


Figure 5.3 Use of Audit Committees by “Appointing Authorities” Entity Appointing Authority Audit Committee?

[Executive Branch] State Agencies Governor No

Judicial Branch Agencies Judicial Council Yes

Higher Education Entities Board of Regents Yes

State Office of Education Board of Education Yes

Legislative Branch* Legislative Management Committee Yes *See Utah Code 36-12-8(1) Source: Utah Code 36I-5-102(3)

The state agency internal audit offices are the only audit entities governed by the act that do not report functionally to an audit committee. Though not subject to the act, the legislative auditors also report to an audit committee. Though it would increase the independence and effectiveness of internal audit programs, appointing an audit committee for each state agency may present logistical challenges. The act appears to require that, if used, audit committees are restricted to individual state agency jurisdiction and, therefore, could not serve as audit committees for multiple state agencies. In order to increase the use of audit committees and improve state agency audit program independence, we recommend that the Legislature clarify the act to allow for audit committees to serve multiple state agencies. Audit Committees Comprised of Management Limit Internal Audit Program Independence and Effectiveness in Two State Agencies. The Department of Transportation (UDOT) and the Department of Workforce Services (DWS) each have an audit committee consisting of employees with administrative functions that were not appointed by the governor. Though these committees appear to have been created as an extension of the agency head with the intent of improving the audit programs, they each perform functions consistent with the statutorily-defined functions of an audit committee, including oversight of the internal audit program. Performance of these functions jeopardizes the audit programs’ independence. Figure 5.4 illustrates how DWS’ “audit board” policy appears to function as an audit committee defined in statute.


Figure 5.4 Comparison of Statutorily-Defined Audit Committee Duties and DWS Audit Board Policy and Functions

Utah Code § 63I-5-301 DWS Internal Audit Policies and Procedures: Roles and Responsibilities of the Director of Internal Audit

(3) The audit committee shall: The Director of Internal Audit communicates to the Audit Board and senior management for review and/or approval of:

(a) consent to the appointment or removal of the agency internal audit director as proposed by the agency head

N/A

(b) consent to the internal auditing policies proposed by the agency head

a. Changes to the Internal Audit Charter based on periodic review.

(c) review and approve the annual internal audit plan and budget

g. The internal audit activity’s plans and resource requirements, including significant interim changes, and the impact of resource limitations.

(d) review internal and external audit reports, follow-up reports, and quality assurance reviews of the internal audit office

f. The results of the quality assurance and improvement program.

(e) periodically meet with the agency internal audit director to discuss pertinent matters, including whether there are any restrictions on the scope of audits.

c. A report on the organizational independence of the internal audit activity annually.

Source: Utah Internal Audit Act, DWS Internal Audit Policies and Procedures

As Figure 5.4 demonstrates, the DWS audit board fulfills five of the six required duties of the audit committee as outlined in the act, including reviewing/approving internal auditing policy, the audit plan, and quality assurance reviews. Additionally, according to its internal audit charter, the DWS internal audit director “reports functionally to the Audit Board.” Though called a different name, the “audit board” appears to perform similar functions to an audit committee. An audit committee, which provides influence for the direction and scope of internal audits, limits the internal auditor’s independence and overall effectiveness when it is comprised of members of agency management and staff that might be subject to an internal audit. DWS’ audit board consists of the executive management team, the administrative support division director, general counsel, and a service area director. Agency heads may find value in having an informal committee to advise him/her on agency risk; however, this advisory committee should not provide governance to the internal audit program nor should it have the ability to influence audit prioritization, modify the audit scope, or affect audit findings. Therefore, we recommend that UDOT and DWS only use the existing audit committees in an advisory role rather than an oversight role. Audit committees that serve an advisory function should not participate in functional duties listed in Figure 5.2 and Utah Code 36I-5-301.


Recommendations

1. We recommend that the Legislature clarify the act to allow for an audit committee to serve multiple state agencies.

2. We recommend that the governor consider having state agency internal audit directors functionally report to an audit committee, as encouraged by audit standards.

3. We recommend that UDOT and DWS only use the existing audit committees in an

advisory role rather than an oversight role.


Appendix A




Appendix A Utah Internal Audit Act

63I-5-101. Title.

This chapter is known as the "Utah Internal Audit Act."

63I-5-102. Definitions.

As used in this chapter:

(1) "Agency head" means a cabinet officer, an elected official, an executive director, or a

board or commission vested with responsibility to administer or make policy for a state

agency.

(2) "Agency internal audit director" or "audit director" means the person appointed by the

agency head, with the approval of the audit committee if one has been established, to

direct the internal audit function for the state agency.

(3) "Appointing authority" means:

(a) the governor, for state agencies;

(b) the Judicial Council, for judicial branch agencies;

(c) the Board of Regents, for higher education entities; and

(d) the State Board of Education, for the State Office of Education.

(4) "Audit committee" means a standing committee whose members are appointed by an

appointing authority:

(a) from members of the agency governing board; and

(b) from individuals who do not have administrative responsibilities within the agency

who have the expertise to provide effective oversight of and advice about internal audit

activities and services.

(5) "Audit plan" means a list of audits to be performed by the internal audit organization

within a specified period of time.

(6) "Agency governing board" is any board or commission that has policy making and

oversight responsibility over the agency, including the authority to appoint and remove

the agency director.


(7) "Higher education entity" means the board of regents, the institutional councils of

each higher education institution, and each higher education institution.

(8) "Internal audit" means an independent appraisal activity established within a state

agency as a control system to examine and evaluate the adequacy and effectiveness of

other control systems within the agency.

(9) "Judicial branch agency" means each administrative entity of the judicial branch.

(10) (a) "State agency" means:

(i) each department, commission, board, council, agency, institution, officer, corporation,

fund, division, office, committee, authority, laboratory, library, unit, bureau, panel, or

other administrative unit of the state; and

(ii) each state public education entity.

(b) "State agency" does not mean:

(i) a legislative branch agency;

(ii) an independent agency;

(iii) a county, municipality, school district, local district, or special service district; or

(iv) any administrative subdivision of a county, municipality, school district, local

district, or special service district.

63I-5-201. Internal auditing programs -- State agencies.

(1) (a) The Departments of Administrative Services, Agriculture, Commerce, Heritage

and Arts, Corrections, Workforce Services, Environmental Quality, Health, Human

Services, Natural Resources, Public Safety, and Transportation; and the State Tax

Commission shall conduct various types of auditing procedures as determined by the

agency head or governor.

(b) The governor may, by executive order, require other state agencies to establish an

internal audit program.

(c) An agency head may establish an internal audit program for the agency head's agency

if the agency administers programs that:

(i) might pose a high liability risk to the state; or

(ii) are essential to the health, safety, and welfare of the citizens of Utah.


(2) (a) The Office of the Court Administrator shall conduct various types of auditing

procedures as determined by the Judicial Council, including auditing procedures for

courts not of record.

(b) The Judicial Council may, by rule, require other judicial agencies to establish an

internal audit program.

(c) An agency head within the judicial branch may establish an internal audit program for

the agency head's agency if the agency administers programs that:



(3) (a) The University of Utah, Utah State University, Salt Lake Community College,

Utah Valley University, and Weber State University shall conduct various types of

auditing procedures as determined by the Board of Regents.

(b) The Board of Regents may issue policies requiring other higher education entities or

programs to establish an internal audit program.

(c) An agency head within higher education may establish an internal audit program for

the agency head's agency if the agency administers programs that:



(4) The State Office of Education shall conduct various types of auditing procedures as

determined by the State Board of Education.

(5) Subject to Section 32B-2-302.5, the internal audit division of the Department of

Alcoholic Beverage Control shall conduct various types of auditing procedures as

determined by the Alcoholic Beverage Control Commission.

63I-5-301. Audit committee -- Powers and duties.

(1) Each appointing authority may establish an audit committee to monitor the activities

of the agency internal audit organization.

(2) The appointing authority shall ensure that audit committee members have the

expertise to provide effective oversight of and advice about internal audit activities and

services.


(3) If an audit committee has been established, the audit committee shall:

(a) consent to the appointment or removal of the agency internal audit director as

proposed by the agency head;

(b) consent to the internal auditing policies proposed by the agency head;

(c) review and approve the annual internal audit plan and budget;

(d) review internal and external audit reports, follow-up reports, and quality assurance

reviews of the internal audit office; and

(e) periodically meet with the agency internal audit director to discuss pertinent matters,

including whether there are any restrictions on the scope of audits.

63I-5-302. Agency head -- Powers and duties.

(1) For each agency that establishes an internal audit program, the agency head shall:

(a) prepare and adopt, or if an audit committee has been established, propose to the audit

committee, a formal policy that defines:

(i) the purpose of the agency's internal audit program;

(ii) the authority and responsibility of the agency's internal auditors; and

(b) ensure that the policy:

(i) places no limitations on the scope of the internal audit department's work; and

(ii) declares that auditors are to have no authority or responsibility for the activities they

audit.

(2) The agency head shall appoint or employ an agency internal audit director with the

consent of the audit committee, if an audit committee has been established.


(3) The agency head shall ensure that:

(a) the audit director is allowed to employ a sufficient number of professional and support

staff to implement an effective program of internal auditing;

(b) compensation, training, job tenure, and advancement of internal auditing staff is based

upon job performance;

(c) the audit director and staff collectively possess the knowledge, skills, and experience

essential to the practices of the profession and are proficient in applying internal auditing

standards, procedures, and techniques;

(d) the internal audit organization has employees who are qualified in disciplines such as

accounting, business management, public administration, human resource management,

economics, finance, statistics, electronic data processing, engineering, and law as needed

to meet the audit responsibilities;

(e) internal audit staff are free of operational and management responsibilities that would

impair their ability to make independent audits of any aspects of the agency's operations;

(f) the audit director and the internal audit staff have access to all personnel and any

records, data, and other information of the state agency that they consider necessary to

carry out their assigned duties; and

(g) the agency internal audit director reports to the agency head and to the audit

committee, if one has been established, and has freedom of access to the agency head to

ensure that the director is responsive to the agency head's specific requests, directions,

and needs.

(4) The agency internal audit director may, within budgetary constraints, contract with

consultants to assist with audits.

(5) The agency head shall either:

(a) approve the annual internal audit plan and budget prepared by the agency internal

audit director; or

(b) if an audit committee has been established, review the plan and budget and submit

them to the audit committee for approval.


63I-5-401. Duties of the agency internal audit director.

(1) The agency internal audit director may:

(a) furnish independent analyses, appraisals, and recommendations that may, depending

upon the audit scope, identify:

(i) the adequacy of the state agency's systems of internal control;

(ii) the efficiency and effectiveness of agency management in carrying out assigned

responsibilities; and

(iii) the agency's compliance with applicable laws, rules, and regulations;

(b) submit audit reports directly to the agency head and to the audit committee, if one has

been established;

(c) conduct internal audits of state agency programs, activities, and functions that may

consist of one or more of the following objectives:

(i) to verify the accuracy and reliability of agency records;

(ii) to assess compliance with management policies, plans, procedures, and regulations;

(iii) to assess compliance with applicable laws, rules, and regulations;

(iv) to evaluate the efficient and effective use of agency resources; and

(v) to verify the appropriate protection of agency assets;

(d) prepare audit reports of findings;

(e) review and evaluate internal controls over the state agency's accounting systems,

administrative systems, electronic data processing systems, and all other major systems

necessary to ensure the fiscal and administrative accountability of the state agency;

(f) develop audit plans containing the information required by Subsection (2) to be based

on the findings of periodic risk assessments;

(g) upon request, make a copy of the approved audit plan available to the state auditor,

legislative auditor, or other appropriate external auditor to assist in planning and

coordination of any external financial, compliance, electronic data processing, or

performance audit;

(h) determine the scope and assignment of the audits;


(i) perform an audit of a special program, activity, function, or organizational unit at the

direction of the agency head;

(j) maintain the classification of any public records consistent with Title 63G, Chapter 2,

Government Records Access and Management Act;

(k) be subject to the same penalties as the custodian of those public records for violating

Title 63G, Chapter 2, Government Records Access and Management Act; and

(l) identify in the audit report any abuse, illegal acts, errors and omissions, or conflicts of

interest.

(2) (a) The audit plan required by this section shall:

(i) identify the individual audits to be conducted during each year;

(ii) identify the related resources to be devoted to each of the respective audits;

(iii) ensure that internal controls are reviewed periodically as determined by the agency

head or the audit committee, if one has been established; and

(iv) ensure that audits that evaluate the efficient and effective use of agency resources are

adequately represented in the plan.

(b) The agency internal audit director shall submit the audit plan to the agency head and

the audit committee, if one has been established, for approval.

(3) The agency internal audit director shall ensure that:

(a) audits are conducted in accordance with professional auditing standards such as those

published by the Institute of Internal Auditors, Inc., the American Institute of Certified

Public Accountants and, when required by other law, regulation, agreement, contract, or

policy, in accordance with Government Auditing Standards, issued by the Comptroller

General of the United States;

(b) all reports of audit findings issued by internal audit staff shall include a statement that

the audit was conducted according to the appropriate standards;

(c) public release of reports of audit findings comply with the conditions specified by the

state laws and rules governing the state agency;

(d) copies of all reports of audit findings issued by the internal audit staff are available to

the Offices of the Legislative Auditor General and the State Auditor upon request; and


(e) significant audit matters that cannot be appropriately addressed by the agency internal

audit office are referred to either the Office of Legislative Auditor General or the Office

of the State Auditor.


Appendix B




Appendix B Michigan Executive Order No. 2007-31

CONSOLIDATING INTERNAL AUDIT FUNCTIONS

EXECUTIVE REORGANIZATION

WHEREAS, Section 1 of Article V of the Michigan Constitution of 1963 vests the executive power of the State of Michigan in the Governor;

WHEREAS, Section 2 of Article V of the Michigan Constitution of 1963 empowers the Governor to make changes in the organization of the executive branch or in the assignment of functions among its units that the Governor considers necessary for efficient administration;

WHEREAS, Section 53 of Article IV of the Michigan Constitution of 1963 limits the duties of the legislative Auditor General to the conduct of post audits of financial transactions and accounts of this state and state entities and performance post audits thereof;

WHEREAS, under Section 485 of The Management and Budget Act, 1984 PA 431, MCL 18.1485, each principal department within the executive branch is required to establish and maintain its own internal accounting and administrative control system and appoint its own internal auditor;

WHEREAS, the Department of Management and Budget is required to minimize the duplication of activities among state agencies, between state agencies and businesses, to effect a better organization and consolidation of functions among state agencies, and to establish, administer, operate, or provide centralized services when advantageous to this state;

WHEREAS, consolidation of internal audit functions within the Department of Management and Budget will promote a more unified approach to internal audit functions within the executive branch of state government and improve the effectiveness of financial controls;

WHEREAS, consolidating state internal audit functions will increase administrative efficiencies;

WHEREAS, there is a continuing need to reorganize functions amongst state departments to ensure efficient administration and effectiveness of government;

NOW THEREFORE, I, Jennifer M. Granholm, Governor of the State of Michigan, by virtue of the power vested in the Governor by the Michigan Constitution of 1963 and Michigan law, order the following:


I. DEFINITIONS

As used in this Order:

A. "Department of Management and Budget" means the principal department of state government created under Section 121 of The Management and Budget Act, 1984 PA 431, MCL 18.1121.

B. "Office of the State Budget Director" means the office created within the Department of Management and Budget under Section 321 of The Management and Budget Act, 1984 PA 431, MCL 18.1321.

C. "State Budget Director" means the individual appointed by the Governor pursuant to Section 321 of The Management and Budget Act, 1984 PA 431, MCL 18.1321.

II. TRANSFERS TO OFFICE OF THE STATE BUDGET DIRECTOR

A. All the authority, powers, duties, functions, responsibilities, rule-making authority, personnel, equipment, and budgetary resources of internal auditors within principal departments of this state under Sections 486 and 487 of The Management and Budget Act, 1984 PA 431, MCL 18.1486 and 18.1487, are transferred to the Office of the State Budget Director. The transfers under this paragraph shall not be construed to inhibit the head of a principal department, elected or appointed, from supervising the powers, duties, and functions of that principal department.

B. All of the authority, powers, duties, functions, responsibilities of a principal department of this state to appoint and supervise an internal auditor for a principal department under Section 486 of The Management and Budget Act, 1984 PA 431, MCL 18.1486, are transferred to the State Budget Director. The State Budget Director may appoint an internal auditor to serve as the internal auditor for one or more principal departments.

C. The Office of the State Budget Director shall operate an internal audit services center to assist departments and agencies within the executive branch with accounting functions and may develop standardized policies and procedures for the performance of accounting functions.

III. ADMINISTRATION OF INTERNAL AUDIT FUNCTIONS

A. Each internal auditor appointed by the State Budget Director shall be a member of the classified state civil service. Each internal auditor shall report to and be under the general supervision of the State Budget Director.

B. A person shall not prevent or prohibit an internal auditor from initiating, carrying out, or completing any audit or investigation. An internal auditor shall be protected pursuant to the Whistleblowers' Protection Act, 1980 PA 469, MCL 15.361 to 15.369.


C. An internal auditor appointed by the State Budget Director under Section II.B shall do all of the following:

1. Receive and investigate any allegations that false or misleading information was received in evaluating a principal department's internal accounting and administrative control system or in connection with the preparation of the biennial report on the system.

2. Conduct and supervise audits relating to financial activities of a principal department's operations.

3. Review existing activities and recommend policies designed to promote efficiency in the administration of a principal department's programs and operations.

4. Recommend policies for activities to protect this state's assets under the control of a principal department, and to prevent and detect fraud and abuse in the principal department's programs and operations.

5. Review and recommend activities designed to ensure that a principal department's internal financial control and accounting policies are in conformance with the accounting directives issued by the Office of the State Budget Director pursuant to Sections 421 and 444 of The Management and Budget Act, 1984 PA 431, MCL 18.1421 and 18.1444.

6. Provide a means to keep the State Budget Director and the head of a principal department fully and currently informed about problems and deficiencies relating to the administration of the principal department's programs and operations, and the necessity for, and progress of, corrective action.

7. Conduct other audit and investigative activities as assigned by the State Budget Director.

8. Prepare biennial reports for principal departments required under Section 485(4) of The Management and Budget Act, 1984 PA 431, MCL 18.1485.

D. Each internal auditor appointed by the State Budget Director under Section II.B shall adhere to appropriate professional and auditing standards in carrying out any financial or program audits or investigations.

E. Each internal auditor appointed by the State Budget Director under Section II.B shall report immediately to the State Budget Director and the principal department head if the internal auditor becomes aware of particularly serious or flagrant problems, abuses, or deficiencies relating to the administration of programs or operations of a principal department or agencies within the department.


IV. IMPLEMENTATION OF TRANSFERS

A. The State Budget Director and the directors of all principal departments within the executive branch of state government shall jointly identify the program positions and administrative function positions that will be transferred to the Office of the State Budget Director under this Order. The State Budget Director and the directors of all principal departments shall make every effort to develop the agreements specifying the positions to be transferred by the effective date of this Order. In the event of a failure to reach an agreement on positions to be transferred under this Order, the State Budget Director shall develop a written recommendation specifying the positions to be transferred and submit the recommendation to the Governor for consideration and approval. All transfers to the Office of the State Budget Director shall be consistent with this Order and documented by a memorandum of understanding between the director of each principal department affected by this Order and the State Budget Director.

B. For the purpose of implementing this Order or facilitating the performance of internal audit functions, the Office of the State Budget Director may enter into a written agreement, including a service level agreement, with any other department or agency regarding the performance of internal audit functions.

C. The State Budget Director shall provide executive direction and supervision for the implementation of all transfers to the Office of the State Budget Director under this Order.

D. The State Budget Director shall immediately initiate coordination with department and agencies within the executive branch of state government to facilitate the transfers under this Order. Each principal department affected by the transfers under this Order shall issue, after consultation with the State Budget Director, a memorandum of record identifying any pending settlements, issues of compliance with applicable federal and state laws and regulations, or other obligations to be resolved by the transferring department related to the transfers under this Order.

E. Departments, agencies, and state officers within the executive branch of state government shall fully and actively cooperate with the Office of the State Budget Director in the implementation of this Order. The State Budget Director may request the assistance of other departments, agencies, and state officers with respect to personnel, budgeting, procurement, telecommunications, information systems, legal services, and other issues related to implementation of the transfers under this Order, and the departments and agencies shall provide the assistance requested.

F. The State Budget Director shall administer the functions transferred under this Order in such ways as to promote efficient administration and shall make internal organizational changes as may be administratively necessary to complete the realignment of responsibilities under this Order.

G. The State Budget Director may delegate within the Office of the State Budget Director


a duty or power conferred on the State Budget Director by this Order or by other law, and the individual to whom the duty or power is delegated may perform the duty or exercise the power at the time and to the extent that the duty or power is delegated by the State Budget Director.

H. All records, property, grants, and unexpended balances of appropriations, allocations, and other funds used, held, employed, available or to be made available to any entity for the authority, activities, powers, duties, functions, and responsibilities transferred under this Order to the Office of the State Budget Director are transferred to the Office of the State Budget Director.

V. MISCELLANEOUS

A. The State Budget Director shall determine and authorize the most efficient manner possible for handling financial transactions and records in this state's financial management system necessary to implement this Order.

B. All rules, orders, contracts, and agreements relating to the functions transferred under this Order lawfully adopted prior to the effective date of this Order shall continue to be effective until revised, amended, repealed, or rescinded.

C. Any suit, action, or other proceeding lawfully commenced by, against, or before any entity affected by this Order, shall not abate by reason of the taking effect of this Order. Any suit, action, or other proceeding may be maintained by, against, or before the appropriate successor of any entity affected by this Order.

D. The invalidity of any portion of this Order shall not affect the validity of the remainder of the Order, which may be given effect without any invalid portion. Any portion of this Order found invalid by a court or other entity with proper jurisdiction shall be severable from the remaining portions of this Order.

In fulfillment of the requirements under Section 2 of Article V of the Michigan Constitution of 1963, the provisions of this Order are effective October 1, 2007 at 12:01 a.m.

Given under my hand this 24th day of May, in the year of our Lord, two thousand and seven.

_______________________________________ JENNIFER M. GRANHOLM GOVERNOR

BY THE GOVERNOR: _______________________________________ Secretary of State




Agency Response



Utah State Capitol · 350 North State Street, Suite 150 · PO Box 142210 · Salt Lake City, UT 84114-2210 · Telephone (801) 538-1705 · www.utah.gov

GOVERNOR’S OFFICE OF MANAGEMENT AND BUDGET

KRISTEN COX

Executive Director

State of Utah

GARY R. HERBERT

Governor

GREGORY S. BELL

Lieutenant Governor

August 20, 2013

David S. Pulsipher, CIA, CFE

Office of the Utah State Auditor

E310 Utah State Capitol Complex

Salt Lake City, UT 84114

Re: Performance Audit No. 13-02: A Performance Audit of State Agency Internal Audit Services

Dear Mr. Pulsipher:

Thank you for this opportunity to respond to Performance Audit No. 13-02: A Performance

Audit of State Agency Internal Audit Services. The Governor’s Office of Management and

Budget (GOMB) recognizes the importance of auditing in state government and of state agencies

complying with the requirements of the Utah Internal Audit Act (Act).

When properly conducted, internal audits can be a valuable tool for agency management in

ensuring that resources are used wisely to meet the agency’s core mission and objectives.

However, to actually add value to agency operations, it is important that internal audits not

become just a hoop to jump through that diverts resources or unnecessarily distracts from

agencies’ work.

Below are our responses, in italics, to your findings and recommendations.

Finding 1: Contrary to Statute, Some State Agencies Do Not Have an Internal Audit

Program

1. We recommend that the departments of Agriculture, Commerce, Environmental

Quality, and Public Safety establish internal audit programs. This may include a

shared audit office, as recommended in Finding 2.

Current Statute is Ambiguous

Technically, the Utah Internal Audit Act does not require the departments of Agriculture,

Commerce, Environmental Quality, and Public Safety to establish an internal audit program, as

explained in more detail below. Although the audit report seems to assume that the Act’s

requirements are clear, we note that the construction of the statute is not clear. In light of that

statutory ambiguity, we believe the audit report misses an important opportunity to strengthen

the state’s internal audit processes by not recommending that the Governor and Legislature

more clearly define in statute what is required of agencies with regard to internal audits.

Page | 59


Section 63I-5-201 addresses both mandatory and discretionary audit activities. Establishing an

internal audit program falls under the list of discretionary activities.

For example, when outlining mandatory activities, Section 63I-5-201 states that specified

agencies “shall conduct various types of auditing procedures as determined by the agency head

or governor,” but does not require those agencies to create an internal audit program. Similar

language is used for other entities when discussing mandatory activities (e.g., the Office of the

Court Administrator shall conduct various types of auditing procedures as determined by the

Judicial Council, the State Office of Education shall conduct various types of auditing

procedures as determined by the State Board of Education, etc.).

When addressing discretionary activities, Section 63I-5-201 uses the term “internal audit

program” (e.g., the governor may require other state agencies to establish an internal audit

program, an agency head for certain high-risk agencies may establish an internal audit

program, the Judicial Council may require other judicial agencies to establish an internal audit

program, etc.).

Because of this consistent use of different terms, a reasonable interpretation is that the terms

have different meanings. Otherwise, the identical term would have been used consistently

throughout the statute.

We also note that the terms “various types of auditing procedures as determined by the agency

head or governor” or “internal audit program” are not defined in the Act, so it is unclear

exactly what the differences between the terms may be. For example, would a Division of

Finance spot check and survey reported to the agency head satisfy the statutory requirement of

conducting “various types of auditing procedures as determined by the agency head or

governor”?

Because of the initial ambiguities in Section 63I-5-201, it is unclear the extent to which other

requirements of the Act apply to an agency. For example, Section 63I-5-302 lists several

requirements for “each agency that establishes an internal audit program” (emphasis added).

Do these requirements apply only to the agencies for which the term “internal audit program” is

used under Section 63I-5-201 (and for whom the internal audit program is discretionary) or do

they apply to other agencies?

We also note that audit report, including Finding 1, uses the term “internal audit program”

when the Act actually requires specified agencies to conduct “various types of auditing

procedures as determined by the agency head or governor.”

The audit report also states that agency heads are required to appoint an internal audit director.

Again, current statute is ambiguous on this point. The actual language of Subsection 63I-5-

302(2) reads, “The agency head shall appoint or employ an agency internal audit director with

the consent of an audit committee, if an audit committee has been established.” Does this

requirement only apply to agencies with an audit committee? Or do all state agencies have to

employ an internal audit director? Or do only specified agencies or agencies that establish an

internal audit program have to appoint an internal audit director?

Page | 60


Yet another example of ambiguity in the Act relates to an audit plan. Subsection 63I-5-401(1)

states that an agency internal audit director may conduct certain activities, including developing

audit plans. Subsection 63I-5-401(2) then mentions audit plans “required” by this section, when

the subsection authorizing the audit plans provides discretionary powers to the audit director.

GOMB Recommends that the Legislature Clarify Statute and Provide Appropriate Funding to Strengthen Internal Audit Activities

In highlighting these extensive ambiguities in statute, we do not mean to de-emphasize the

importance of internal audits. To the contrary, we believe that internal audits can be an

important management tool for discovering and addressing issues before they become major

problems. However, we highlight these many ambiguities in statute to emphasize that the

ambiguity of current statute may be an impediment to agencies understanding what constitutes a

good internal audit program.

In light of these many ambiguities in statute, GOMB would like to work in partnership with the

Legislature (a) to clarify statute in a way that makes statute meaningful to agencies yet allows

agencies the appropriate flexibility to respond to the needs of the agency, and, (b) to provide

funding as appropriate for the desired level of internal auditing activities.

Along these lines, while recognizing that the appropriate action would have been to also revise

statute as needed when this action was taken, in some cases, we note that the Legislature

specifically approved reductions to or eliminations of auditing activities during recent budget

cuts. If additional resources are provided to auditing, they will come by redirecting resources

from other activities currently being conducted by the agency or from new resources that could

have been used for other functions. In other words, there is an opportunity cost to conducting

audits.

With the statutory ambiguities mentioned above in mind, to the extent that agencies actually are

out of compliance with the Act, GOMB concurs that the agencies should take the steps necessary

to comply with statute. For example, if agency heads specified by statute are not conducting

“various types of auditing procedures” as the agency heads determine to be appropriate in

helping them achieve their agency’s objectives, they should do so.

External Audits

In addition to internal audits that were conducted throughout state agencies, we also highlight

the fact that state agencies underwent over 180 external audits in 2013. Although external audits

and internal audits can serve different purposes, the audit report seems to leave the impression

that vast amounts of funds may receive no audit coverage at all if an internal audit is not

conducted. We note that many programs undergo extensive external audits, such as federal

compliance audits, that may provide an agency head with information similar to that which

would be provided through an internal audit.

Additional Agency-Specific Responses

While indicating that it has taken and continues to take steps to improve audit functions, the

Department of Commerce believes that it is complying with current statute in conducting various

types of auditing procedures as determined by the agency head.

Page | 61


Finding 2: Centralized Audit Coordination Could Improve Agency Oversight

1. We recommend that the Legislature create a shared internal audit office to conduct

regular risk-based internal audits on agencies that do not have internal audit programs

and to conduct additional internal audits at the request of the Governor’s Office.

2. We recommend that the Legislature review and reassess which agencies should

implement individual internal audit programs and which should utilize a shared

office.

3. We recommend that the Governor’s Office facilitate resource sharing—including

staff, audit tools, and training opportunities—among state agency internal audit

offices.

Current Practice Consistent with Statute We note that not having a shared audit office is consistent with current statute.

Centralized Audit Functions Have Both Advantages and Disadvantages The audit report identifies three other states that have centralized internal audit programs.

However, the audit report does not include any evidence that these other states have achieved

better results than Utah’s current audit system, only that alternative structures are in place in

these other states.

While centralizing audit resources could have advantages, such as providing additional audit

resources to smaller agencies, centralization may also have disadvantages, which, regrettably,

are not adequately addressed in the audit report. A centralized approach may result in audits

losing effectiveness as a management tool due to centralized auditors’ lack of specific knowledge

of the agency or potential lack of trust between the auditors from a separate entity and the

agency head. Centralized auditors may essentially become external auditors to the agency, even

if they are internal to the administration. In considering centralization, the Governor and

Legislature should consider both advantages and disadvantages.

Given the already-extensive audit oversight of agencies through external and internal audits, it is

unclear if allocating more resources to audits in all agencies, such as through a centralized

audit office, would be the optimal use of taxpayer dollars. This is an issue that will likely require

more examination, including a comparison of the marginal benefit of additional auditing

activities to the marginal benefit of making changes to the agency’s core services, such as

through the Governor’s SUCCESS program that focuses on business process management, as

well as marginal costs.

Audit Coordination Alternatives

Use of a shared internal audit office as an agency resource, particularly for small agencies,

deserves consideration due to its potential to provide audit expertise in a cost-effective manner.

However, GOMB is not in favor of requiring agencies with internal audit programs to utilize a

centralized internal audit office if they believe their in-house internal audit programs would

serve the agency better.

If the Legislature deems it appropriate to amend the Utah Internal Audit Act to create a shared

internal audit office, GOMB recommends that it be placed in the Department of Administrative

Services, which provides centralized support services for other state agencies. This change

would be consistent with the recent move of the Office of Inspector General of Medicaid Services

from the Governor’s Office to the Department of Administrative Services.

Page | 62


Another audit coordination alternative would be for smaller agencies to utilize the audit

expertise of larger agencies, such as when an agency with an established internal audit program

“loans” an auditor to a smaller agency.

In addition, GOMB is considering establishing an audit coordination function within GOMB to

help coordinate external audits of state agencies and to help interested agencies improve

internal audits. This function could benefit smaller agencies in particular by facilitating training

opportunities and sharing best practices among agencies.

Finding 3: Performing Operational Responsibilities Jeopardizes Auditor Independence

1. We recommend that the Department of Natural Resources executive director separate

the duties of internal audit director and finance director.

2. We recommend that the Department of Human Services executive director ensure

that the internal audit office discontinues involvement in management duties such as

writing agency policy and updating forecast models.

Agency-Specific Responses The Department of Natural Resources (DNR) agrees that there is a perceived conflict of interest

with the DNR Finance Director also overseeing internal audit operation. At the same time, DNR

indicates that it is difficult to find someone with enough technical expertise to properly audit

complex contracts and systems within the agency. Effective internal auditing requires someone

with as much technical expertise as a finance director to know where and how to look for

potential issues.

The Department of Human Services concurs with the finding and is in the process of extracting

the internal audit group from performing these functions in the future. It will prescribe in a

department policy that these types of activities are prohibited for the internal auditors.

Finding 4: Formalized Agency Policy Could Increase Internal Auditor Effectiveness

1. We recommend that the departments of Corrections, Health, Human Services, Natural

Resources, and Transportation revise internal audit policy to include all statutory

requirements.

2. We recommend that the departments of Administrative Services, Agriculture,

Commerce, Environmental Quality, and Public Safety create and implement internal

audit policies, as required by statute.

Formalized Policies Could Increase Audit Effectiveness

GOMB concurs that formal policies could help agencies use internal audits effectively. As

mentioned above, clarifying statute would assist agencies with these formal policies.

Agencies have indicated that they will comply with these recommendations either by creating

and implementing internal audit policies or by revising formal internal audit policies to contain

the elements listed in statute.

Page | 63


Finding 5: Effective Audit Committees Increase Management Accountability

1. We recommend that the Legislature clarify the act to allow for an audit committee to

serve multiple state agencies.

2. We recommend that the governor consider having state agency internal audit

directors functionally report to an audit committee, as encouraged by audit standards. 3. We recommend that UDOT and DWS only use the existing audit committees in an

advisory role rather than an oversight role.

Audit Committees Should Remain Discretionary and Agency Directors Should Be Provided Additional Statutory Flexibility in the Use of Audit Committees GOMB disagrees with this finding. We note that establishing an audit committee is clearly a

discretionary activity under current statute. We believe that current statute, in which audit

committees for internal audits are discretionary, is appropriate. Although audit committees may

have some advantages, as indicated in the audit report, they also have potential disadvantages,

which, regrettably, are not addressed in the audit report. Disadvantages include potentially

limiting the effectiveness of the internal audit as a tool for agency management and the potential

difficulty in finding those with sufficient expertise who do not have conflicts, such as being in

agency management or operations, to serve on the committee.

Concerning a statewide internal audit committee, an audit committee for multiple state agencies

would likely lack sufficient expertise to address in detail the wide variety of issues that would

come before the committee. We note that current statute requires this expertise for audit

committee members. For example, would a statewide audit committee have sufficient expertise to

effectively oversee technical internal audits in the Department of Transportation, Department of

Environmental Quality, Department of Veterans’ and Military Affairs, and Department of

Health, each of which have widely different missions and processes? In addition, rather than

being an internal management tool for agency management to use, this system may function

more like an external audit, and thus may lose many of the benefits of an internal audit.

Regarding the issue of advisory and oversight committees, we recommend that the Legislature

amend statute to provide agency directors with additional discretion in how to use audit

committees to best meet agency’s internal management purposes, rather than prescribing either

strictly an oversight role or an advisory role.

Thanks to you and your staff for your significant effort in conducting this audit and for your

consideration of these responses to your findings and recommendations.

Sincerely,

Kristen Cox

Executive Director

Governor’s Office of Management and Budget

Page | 64

Performance Audit No. 13-02 A Performance Audit of - Utah.gov

Documents